[CERT-daily] Tageszusammenfassung - Freitag 5-06-2015

Fri Jun 5 18:18:38 CEST 2015

=======================
= End-of-Shift report =
=======================

Timeframe:   Mittwoch 03-06-2015 18:00 − Freitag 05-06-2015 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter


*** Zero-Day Disclosed in Unity Web Player ***
---------------------------------------------
A zero-day vulnerability has been disclosed in the popular Unity Web Player browser plugin. The flaw allows an attacker crossdomain access to websites and services using the victims credentials.
---------------------------------------------
http://threatpost.com/zero-day-disclosed-in-unity-web-player/113124


*** PCI Council releases PA-DSS 3.1, nixes SSL, early TLS ***
---------------------------------------------
The PCI Security Standards Council revisions to PA-DSS addresses SSL vulnerabilities.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/Ybnmzlufdo4/


*** Embedded: Geldautomaten sollen von XP auf Windows 10 updaten ***
---------------------------------------------
Die Branchenorganisation ATM Industry Association ruft die Hersteller dazu auf, bei Geldautomaten Windows 8 und 8.1. zu überspringen. Auf Windows XP ausruhen sollen sie sich nicht.
---------------------------------------------
http://www.golem.de/news/embedded-geldautomaten-sollen-von-xp-auf-windows-10-updaten-1506-114475-rss.html


*** ICS Amsterdam 2015 ***
---------------------------------------------
SANS ICS Amsterdam 2015 hosts five dedicated training courses for those tasked with securing Industrial Control Systems as well as a two day ICS Security Summit. This specialist training event takes place at the Radisson Blue Amsterdam, from September 22nd - 28th.
---------------------------------------------
https://www.sans.org/event/ics-amsterdam-2015


*** Critical vulnerabilities in JSON Web Token libraries ***
---------------------------------------------
Great. So, what's wrong with that? ... Meet the "none" algorithm.
---------------------------------------------
http://ab0files.com/critical-vulnerabilities-in-json-web-token-libraries


*** Achtung: Offene Intranets verraten zu viel ***
---------------------------------------------
Viele Organisationen haben ein eigenes Intranet. Manche stellen versehentlich vertrauliche Dokumente online, die über Google auffindbar sind. Wir haben uns per Google Beispiele herausgepickt.
---------------------------------------------
http://heise.de/-2680058


*** Asprox / Kuluoz Botnet Analysis ***
---------------------------------------------
Introduction Kuluoz, aka Asprox, is a spam botnet that emerged in 2007. It has been known for sending mass of phishing emails used in conjunction with social engineering lures (e.g. booking confirmations, postal-themed spam, etc.) This article presents a view on the malware and its capabilities, how it communicates with the CnC, encryption schemes used,...
---------------------------------------------
http://resources.infosecinstitute.com/asprox-kuluoz-botnet-analysis/


*** WLAN-Trick soll Apple-Pay-Nutzern Kreditkartendaten entlocken ***
---------------------------------------------
Angreifer können die automatische WLAN-Verbindungsaufnahme von iOS dazu nutzen, um mit einem manipulierten Apple-Pay-Dialog auf Kreditkartenfang zu gehen, warnt eine Sicherheitsfirma.
---------------------------------------------
http://heise.de/-2680369


*** IBM Security Bulletins ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/?lang=en_us


*** McAfee ePolicy Orchestrator SSL/TLS spoofing ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/103610


*** Vulnerabilities in Cisco Products ***
---------------------------------------------

*** Cisco FireSIGHT Management Center XSS and HTML Injection Vulnerabilities ***
http://tools.cisco.com/security/center/viewAlert.x?alertId=39171

*** Cisco ONS 15454 System Software Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/viewAlert.x?alertId=39172

*** Cisco Edge 340 Privilege Escalation Vulnerability ***
http://tools.cisco.com/security/center/viewAlert.x?alertId=39187

*** Cisco TelePresence SX20 HTTP Response Splitting Vulnerability ***
http://tools.cisco.com/security/center/viewAlert.x?alertId=39210


*** XZERES 442SR Wind Turbine CSRF Vulnerability ***
---------------------------------------------
This advisory provides mitigation details for a cross-site request forgery vulnerability in XZERES's 442SR turbine generator operating system.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-155-01


*** Bugtraq: CA20150604-01: Security Notice for CA Common Services ***
---------------------------------------------
http://www.securityfocus.com/archive/1/535684