[CERT-daily] Tageszusammenfassung - Donnerstag 20-08-2015

Thu Aug 20 18:09:53 CEST 2015

=======================
= End-of-Shift report =
=======================

Timeframe:   Mittwoch 19-08-2015 18:00 − Donnerstag 20-08-2015 18:00
Handler:     Stephan Richter
Co-Handler:  n/a


*** Inside the Unpatched OS X Vulnerabilities ***
---------------------------------------------
Italian researcher Luca Todesco explains how exploiting two vulnerabilities in OS X gain enable root access for a hacker. He wont, however, say why he went public with details and exploit code before Apple patched.
---------------------------------------------
http://threatpost.com/inside-the-unpatched-os-x-vulnerabilities/114344


*** Three bypasses and a fix for one of Flashs Vector. mitigations ***
---------------------------------------------
Posted by Chris Evans, Cookie MonsterWith the release of Flash 18.0.0.209, two mitigations were introduced to combat abuse of Vector corruptions -- we covered these in a previous blog post. Flash 18.0.0.232 has just been released and it includes a change to the way one of the mitigations is implemented, to address Project Zero bug 482.This blog post notes some ways to bypass the way Adobe implemented the Vector. length checking mitigation. They are already fixed. It's not uncommon for new...
---------------------------------------------
http://googleprojectzero.blogspot.com/2015/08/three-bypasses-and-fix-for-one-of.html


*** AdBlocker Plus exploit puts OSX users at risk ***
---------------------------------------------
A visit to the Apple store will give any consumer a false sense of security, you will be told that by buying a Mac you are safe from threats and malware. I have...
---------------------------------------------
http://www.webroot.com/blog/2015/08/19/adblocker-plus-puts-osx-at-risk/


*** Evaluating the security of open source software ***
---------------------------------------------
The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation, is developing a new free Badge Program, seeking input from the open source community on the criteria to be used to ...
---------------------------------------------
http://www.net-security.org/secworld.php?id=18786


*** A light-weight forensic analysis of the AshleyMadison Hack ***
---------------------------------------------
So Ashley Madison(AM) got hacked, it was first announced about a month ago and the attackers claimed theyd drop the full monty of user data if the AM website did not cease operations. The AM parent company Avid Life Media(ALM) did not cease business operations for the site and true to their word; the attackers seemed of have leaked everything they promised on August 18th 2015 including:...
---------------------------------------------
http://blog.includesecurity.com/2015/08/forensic-analysis-of-the-AshleyMadison-Hack.html


*** Popular Tools for Brute-force Attacks ***
---------------------------------------------
The brute-force attack is still one of the most popular password cracking methods. Nevertheless, it is not just for password cracking. Brute-force attacks can also be used to discover hidden pages and content in a web application. This attack is basically "a hit and try" until you succeed. This attack sometimes takes longer, but its...
---------------------------------------------
http://resources.infosecinstitute.com/popular-tools-for-brute-force-attacks/


*** Web.de und GMX führen PGP-Verschlüsselung für Mail ein ***
---------------------------------------------
Sehr einfach zu bedienen, aber dennoch sicher soll die PGP-Erweiterung der Mail-Dienste von Web.de und GMX sein, die sich per Web-Oberfläche und Mobil-Apps nutzen lässt.
---------------------------------------------
http://heise.de/-2786133


*** Yet another Android security flaw: This time EVERYTHING is affected ***
---------------------------------------------
Multitasking security flap places entire user base at risk of neer-do-well activity Security researchers have discovered yet another source of security flaws in Android. This time the problem affects the mobile operating systems multitasking functionality rather than the handling of multimedia messages, the crux of a cyber of recent vulnerabilities* including the infamous Stagefright flaw.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/08/20/android_multitasking_flaw/


*** [R1] Apache Vulnerabilities Affects Tenable SecurityCenter ***
---------------------------------------------
http://www.tenable.com/security/tns-2015-11


*** Cisco Aggregation Services Router ASR 5000 and ASR 5500 OSPF Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=40585


*** VU#276148: Dedicated Micros DVR products use plaintext protocols and require no password by default ***
---------------------------------------------
Vulnerability Note VU#276148 Dedicated Micros DVR products use plaintext protocols and require no password by default Original Release date: 20 Aug 2015 | Last revised: 20 Aug 2015   Overview Dedicated Micros DVR products, including the DV-IP Express, SD Advanced, SD, EcoSense, and DS2, by default use plaintext protocols and require no password.  Description CWE-311: Missing Encryption of Sensitive DataDedicated Micros DVR products by default use HTTP, telnet, and FTP rather than secure
---------------------------------------------
http://www.kb.cert.org/vuls/id/276148


*** Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-003 ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CORE-2015-003Project: Drupal core Version: 6.x, 7.xDate: 2015-August-19Security risk: 18/25 ( Critical) AC:Complex/A:User/CI:All/II:All/E:Proof/TD:AllVulnerability: Cross Site Scripting, Access bypass, SQL Injection, Open Redirect, Multiple vulnerabilitiesThis security advisory fixes multiple vulnerabilities. See below for a list.Cross-site Scripting - Ajax system - Drupal 7A vulnerability was found that allows a malicious user to perform a cross-site scripting attack by
---------------------------------------------
https://www.drupal.org/SA-CORE-2015-003