Security Flaws & Fixes - W/E - 12/14/18

Adobe Squashes Nearly 90 Bugs in Acrobat Update (12/11/2018)
Adobe's Acrobat has received security updates that address 87 vulnerabilities. The bugs affect the Windows and macOS versions of Acrobat. Successful exploitation could lead to arbitrary code execution in the context of the current user.

Chrome for Desktop Receives Security Update (12/12/2018)
The Chrome browser has been updated to version 71.0.3578.98 for Windows, Mac, and Linux. Google noted in the update notes that this release contains one security fix for a use-after-free bug in PDFium.

Despite Recommendations, Cybersecurity Concerns Remain for Federal Agencies (12/12/2018)
The Government Accountability Office has made about 3,000 recommendations to federal agencies since 2010 to improve the security of federal IT systems. As of November, 688 of the security-related recommendations had not been implemented. Specifically, these recommendations identified actions for agencies to take to strengthen their information security programs and technical controls over their computer networks and systems. Further information is available from a GAO report.

Firefox 64 Is Now Available from Mozilla (12/11/2018)
Mozilla has released Firefox 64 and updates for Firefox ESR. These updates resolve a number of security issues and vulnerabilities.

Hacks Possible for Remote Control Chargers for Electric Vehicles (12/13/2018)
Researchers at Kaspersky Lab suggest that electric vehicles are exposed to cyber attacks through the remote control of the charging process, which is an easy target for attackers. They assessed ChargePoint's Home, which supports both Wi-Fi and Bluetooth wireless technologies and lets an end user remotely control the charging process with a mobile application. Once registered, the device establishes a connection to the remote backend server, which relays the user's commands from the application. The application makes it possible to remotely change the maximum consumable current and to start and stop the charging process. The researchers also identified a way to trigger a factory reset, which wipes all stored information.

Microsoft Swats 30+ Bugs, Including Zero-Day Kernel Hole, in December Batch of Fixes (12/12/2018)
Microsoft has mitigated more than 30 vulnerabilities in Windows and other software in its monthly release of patches for December. One of the issues is a zero-day flaw that is being exploited in the wild, affects all supported versions of Windows, and enables an attacker to elevate privileges on a host system. This particular bug, which affects the Windows kernel, was reported to Microsoft by Kaspersky Lab, which published a blog post on the vulnerability. Kaspersky has warned that a new threat group called SandCat is actively exploiting this bug.

Philips HealthSuite Health Android App Plagued by Unpatched Encryption Bug (12/10/2018)
Philips HealthSuite Health Android App is affected by a vulnerability that could allow an attacker with physical access to impact the confidentiality and integrity of the product. Although a fix will be made available in early 2019, an ICS-CERT advisory offers mitigation techniques and further information.

Popular Messaging Apps May Not Be as Secure as Users Expect (12/11/2018)
Cisco's Talos researchers uncovered information suggesting that the end-to-end encryption used by the Telegram, WhatsApp, and Signal messaging apps may not be as secure as users think. While message content is encrypted in transit between parties by these protocols, it may not be protected during processing or once the data reaches a user's device. The protocols, MTProto and the Signal Protocol, also do not manage group enrollment in these applications.

Rockwell Automation Recommends Firmware Update for MicroLogix Products (12/10/2018)
Rockwell Automation's MicroLogix 1400 Controllers and 1756 ControlLogix Communications Modules require a firmware update to mitigate a missing-authentication-for-critical-function vulnerability. For those who cannot update their firmware, an ICS-CERT advisory offers mitigation techniques.

SAP Bids Vulnerabilities Adieu with December Release of Fixes (12/12/2018)
SAP has included 12 bulletins within its December Security Patch Day release of vulnerability fixes. Included is a patch for a cross-site scripting vulnerability in SAP Hybris Commerce storefronts and an update to April's security note for the browser control Chromium delivered with SAP Business Client. These two were rated as "Hot News" or the most critical by the vendor.

Siemens Advises on Vulnerabilities in December Batch of Bulletins (12/11/2018)
Siemens issued multiple advisories regarding vulnerabilities across its product lines. The December 11 releases address issues such as a denial-of-service condition in the vendor's industrial products, missing authentication in TIM 1531 IRC modules, and a heap overflow in SCALANCE X Switches and other products. Siemens also warned that vulnerabilities in McAfee Application and Change Control, which is used in its SINAMICS PERFECT HARMONY GH180, affect various product serial numbers.

Update Alleviates Vulnerability in GE Proficy GDS (12/10/2018)
GE's Proficy GDS has a critical issue that might enable an attacker to initiate an OPC UA session and retrieve an arbitrary file. Users should update to Version 2.1 or newer. The ICS-CERT posted an advisory with additional details.