Security Flaws & Fixes - W/E - 12/7/18

Adobe Updates Flash to Boot Critical Vulnerability (12/05/2018)
Adobe patched two bugs in Flash Player that could result in arbitrary code execution and privilege escalation. Further details have been posted in an advisory. The zero-day arbitrary code execution bug was being exploited in the wild via a Microsoft Office document.

Google Alleviates Over 50 Vulnerabilities with December Security Bulletin (12/05/2018)
Google's December bulletin of security fixes for Android remedies 53 total bugs, including 11 critical vulnerabilities. Of those zero-day holes, six were remote code execution issues linked to Android's Media Framework and System components.

Google Rolls Out Chrome 71 (12/05/2018)
The latest version of Chrome has been released by Google. Chrome 71 has been rolled out for Windows, Mac, Linux, and Android. The update contains 43 security fixes.

INVT Electric's VT-Designer Found to Be Vulnerable (12/03/2018)
VT-Designer from INVT Electric contains a deserialization of untrusted data vulnerability and a heap-based overflow vulnerability. Version 2.1.7.31 is affected, but other versions could be as well. Mitigations from the vendor haven't been released, but the ICS-CERT has published an advisory with more information.

Kubernetes Flaw Lets Hackers Sabotage Info from a Remote Location (12/05/2018)
The Kubernetes open-source container software is vulnerable to a critical privilege escalation bug that could allow a remote attacker to gain access to data or cause production applications to crash. An advisory has been released to discuss mitigation techniques.

Omron Gives CX-One an Update to Mitigate Risks (12/04/2018)
Omron's CX-One is vulnerable to several security bugs that could allow an attacker to execute code under the privileges of the application, an ICS-CERT advisory warns. An updated version of CX-One has been issued and is available through the CX-One auto-update service.

Updated Version Fixes Reflected XSS in SCADA WebServer (12/04/2018)
A reflected cross-site scripting vulnerability in SpiderControl's SCADA WebServer could allow an attacker to execute JavaScript in the victim's browser. SpiderControl has released Version 2.03.0001, which fixes the vulnerability. The ICS-CERT also posted an advisory.

Web Site Bug Exposed Jared, Kay Jewelers' Customer Info (12/03/2018)
Security researcher Brian Krebs reached out to Signet Jewelers, the parent company of Jared and Kay Jewelers, after receiving notification of a Web bug on both companies' Web sites that exposed online customer information. KrebsOnSecurity was contacted by Brandon Sheehy, who found that by making a slight alteration to the link in the confirmation email he received after a purchase from Jared's online store and pasting it into a Web browser, he could view another customer's order, including personal information. Sheehy contacted Krebs after notifying Signet Jewelers and asking the company to patch the bug, but noticed the issue remained after several weeks. Signet told Krebs that the issue was fixed for future orders, but that it had not been remedied for past orders.
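As an added illustration of the class of bug described above (this is not Signet's code; the order records, the signing secret and the handler names are constructed for the example), the unchecked lookup shows why editing an identifier in a confirmation link returns someone else's order, and the hardened lookup binds the request to both an unguessable link token and the logged-in customer:

```python
# Added illustration (not Signet's code): an order-confirmation lookup that
# trusts a guessable identifier in the URL, beside a hardened version that
# requires a signed link token AND ownership by the authenticated customer.
import hmac
import hashlib
import secrets

# Constructed sample data: two customers, two sequential order numbers.
ORDERS = {
    1001: {"customer": "alice", "items": ["ring"], "address": "1 Main St"},
    1002: {"customer": "bob", "items": ["watch"], "address": "2 Oak Ave"},
}

# Hypothetical server-side secret used to sign confirmation links.
LINK_SECRET = secrets.token_bytes(32)


def lookup_order_unchecked(order_id: int) -> dict:
    """The pattern described in the article: whoever can change the order
    number in a confirmation link sees that order. No ownership check."""
    return ORDERS[order_id]


def confirmation_token(order_id: int) -> str:
    """HMAC over the order id; emailed links carry this so the bare,
    sequential id alone is never enough to retrieve an order."""
    msg = str(order_id).encode()
    return hmac.new(LINK_SECRET, msg, hashlib.sha256).hexdigest()


def lookup_order(order_id: int, token: str, session_user: str) -> dict:
    """Hardened lookup: the link token must verify (constant-time compare)
    and the logged-in customer must own the order. Both failures produce
    the same error so probing different ids reveals nothing."""
    order = ORDERS.get(order_id)
    expected = confirmation_token(order_id)
    token_ok = hmac.compare_digest(expected, token)
    owner_ok = order is not None and order["customer"] == session_user
    if not (token_ok and owner_ok):
        raise PermissionError("order not found")
    return order
```

Signing the link alone would still not help orders that were already emailed out with the old format, which is the "past orders" gap the article notes; the ownership check is what closes it for those.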

Zero-Day Flaws Detected in Two IoT Protocols (12/03/2018)
Trend Micro has identified major design flaws and vulnerable implementations related to two machine-to-machine (M2M) protocols, Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP). The researchers identified more than 200 million MQTT messages and more than 19 million CoAP messages being leaked by exposed brokers and servers. Using simple keyword searches, malicious attackers could locate this leaked production data, identifying lucrative information on assets, personnel and technology that can be abused for targeted attacks. Attackers could remotely control Internet of Things endpoints or deny service by leveraging security issues in the design, implementation, and deployment of devices using these protocols. By abusing specific functionality in the protocols, hackers could maintain persistent access to a target to move laterally across a network.