Security Flaws & Fixes - W/E - 11/30/18

Android Police: Google to Patch Pixel 3 Vanishing SMS Flaw "Soon" (11/26/2018)
Google is believed to be preparing a patch for its Pixel 3 device to address complaints of "vanishing" SMS messages. According to Android Police, the developer has confirmed to the outlet the presence of a "bug affecting SMS/MMS on a small number of Pixel 3s," as well as its plans for an "incoming" fix. Recently, an anonymous "tipster" told the news outlet that the issue is likely related to Google's November 5, 2018 security update. "We're not entirely sure if this is a bug with the Pixel 3 itself or just the Messages app," noted Android Police. "There don't seem to be any reports of it happening on other devices."

Critical Bugs in TP-Link Router Could Lead to DoS, RCE, Info Disclosure (11/20/2018)
Cisco has warned that multiple vulnerabilities exist in the TP-Link TL-R600VPN router. There are two root causes of the vulnerabilities: a lack of input sanitization and parsing errors. These vulnerabilities can lead to denial-of-service, information disclosure, and remote code execution. Firmware updates have been made available to remedy these vulnerabilities.

Flash Player Update Alleviates Arbitrary Code Execution Condition (11/20/2018)
Adobe has released security updates for Flash Player for Windows, macOS, Linux, and Chrome OS. These updates address a critical vulnerability that could lead to arbitrary code execution. Microsoft also posted an update for the Flash Player that is installed on Windows operating systems.

Google's Chrome Receives Update (11/20/2018)
Google has updated Chrome to version 70.0.3538.110 for Windows, Mac, and Linux. Among the issues resolved is a use-after-free bug in Chrome's GPU component.

Instagram Flaw Left Passwords Exposed in Plaintext (11/20/2018)
Instagram has patched a vulnerability in its Web site that exposed some user passwords in plaintext, The Information reported. The bug was related to a tool that Instagram debuted in April to show individuals how much information the site had compiled on them. Instagram said this issue only affected a few of its users, but did not say how many.

Mitigation Techniques Can Reduce Security Issues with Schneider Electric Modicon M221 (11/20/2018)
A vulnerability in Schneider Electric's Modicon M221 could cause a change of IPv4 configuration (IP address, mask, and gateway) when remotely connected to the device. An ICS-CERT advisory describes mitigation techniques that are recommended by the vendor.

Samba Updates Fix Vulnerabilities in Different Versions (11/28/2018)
Samba has released multiple advisories to address vulnerabilities across its various versions. Users should immediately apply the updates.

Security Advisories Have Been Released by Cisco (11/28/2018)
Cisco has posted advisories to address a SQL injection bug in Prime License Manager and a command injection vulnerability in Webex Meetings Desktop.

Security Issue Reported in AVEVA Vijeo Citect and Citect SCADA (11/28/2018)
An ICS-CERT advisory details an uncontrolled search path element bug in AVEVA's Vijeo Citect and Citect SCADA products. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system. AVEVA reported that a vulnerability in the Schneider Electric Software Update utility affects Vijeo Citect and Citect SCADA.

Siemens Warns of Multiple Linux/GNU Bugs in SIMATIC Platform (11/27/2018)
Multiple vulnerabilities have been identified in the additional GNU/Linux subsystem of the current firmware version V2.6.0 for Siemens' SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP. These GNU/Linux vulnerabilities have been externally identified and will be fixed with the next firmware version. Siemens is working on an update for the firmware and has provided mitigation techniques in its advisory.

Teledyne Sherlock Update Resolves Stack-Based Overflow Vulnerability (11/20/2018)
A stack-based overflow bug has been detected in Teledyne's Sherlock machine vision software interface. An ICS-CERT advisory recommends that users upgrade to Sherlock Version 7.2.7.5 or later.

Two Apps Inadvertently Use Digital Certificates, Leave Devices Vulnerable to Attack (11/29/2018)
A third-party app company unintentionally installed digital certificates on two apps, which could result in a threat actor using them to spoof Web sites. Microsoft has warned that headset software company Sennheiser HeadSetup installed the certificates on the HeadSetup and HeadSetup Pro apps. The certificate and private key are the same for anyone who downloaded these apps, which could enable a cyber thief to decrypt the private key and infiltrate any devices that the apps are installed on.

VMware Issues Updates for vSphere Data Protection, Workstation, and Fusion (11/20/2018)
Updates to VMware vSphere Data Protection address multiple security vulnerabilities, including remote code execution and information exposure flaws. The vendor has also delivered updates for Workstation and Fusion to remedy an integer overflow bug. VMware recommends that users review the patch/release notes for the affected product and version and verify the checksum of the downloaded file.