Security Flaws & Fixes - W/E - 092118

Adobe Fixes Bugs in Reader, Acrobat with Out-of-Band Security Advisory (09/19/2018)
Adobe released an out-of-band security bulletin to address critical vulnerabilities in Acrobat and Reader. Successful exploitation could lead to arbitrary code execution in the context of the current user.

Apple Pushes Updates for Various Products (09/18/2018)
Apple released security updates on September 17 for various products. Updates were issued for Safari, watchOS, tvOS, and iOS. An additional advisory was issued for iOS 11.0 and later.

Honeywell Android Mobile Computers Contain Vulnerability (09/17/2018)
A vulnerability in a system service on Honeywell's CT60, CN80, CT40, CK75, CN75, CT50, D75e, CN51, and EDA series mobile computers running Android could allow a malicious third-party application to gain elevated privileges. Google's team identified these issues, reported them to Honeywell, and then notified ICS-CERT. Honeywell recommends that users immediately upgrade to avoid risks.

Multiple Critical Bugs Detected in PHP (09/17/2018)
Multiple vulnerabilities have been discovered in the PHP programming language, the most severe of which could allow an attacker to execute arbitrary code. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in a denial-of-service condition. The Center for Internet Security (CIS) has issued an advisory.

No Patch Available for Vulnerability in WECON PLC Editor (09/19/2018)
WECON's PLC Editor has a verified stack-based overflow vulnerability, but the vendor hasn't yet issued an update. ICS-CERT issued an advisory with mitigation techniques.

Peekaboo Vulnerability Found in NUUO's NVR Software (09/19/2018)
Tenable discovered two vulnerabilities in NUUO's Network Video Recorder software. The first is a critical unauthenticated stack buffer overflow called "Peekaboo," and the second is a backdoor in leftover debug code. These vulnerabilities were assessed and tested in the NVRMini2, a network-attached storage device and network video recorder. NUUO released version 3.9.1 to address the Peekaboo vulnerability. However, NUUO's software is used by third-party vendors and may not carry the NUUO name, so it is not known how many vendors could be affected.

Senators Tell State Department to Tighten Up Cybersecurity Measures (09/19/2018)
Five Senators implored Secretary of State Mike Pompeo to increase security, including multi-factor authentication (MFA), for the department's information systems in a September 11 letter. They pointed out that all federal agencies are required to enable MFA for accounts that are considered to have elevated privileges as defined by the Federal Cybersecurity Enhancement Act. The Senators also referred to information from an earlier State Department Inspector General report that found that experts who tested the agency's systems "successfully exploited vulnerabilities in email accounts of Department personnel as well as Department applications and operating systems."

Several Versions of BIND Affected by Critical Vulnerability (09/19/2018)
The Internet Systems Consortium (ISC) released an advisory due to a vulnerability in multiple versions of Berkeley Internet Name Domain (BIND). A criminal could abuse this bug to alter records on a vulnerable server.