Deutsch | English

[CERT-daily] Tageszusammenfassung - Freitag 5-06-2015

Daily end-of-shift report team at cert.at
Fri Jun 5 18:18:38 CEST 2015


=======================
= End-of-Shift report =
=======================

Timeframe:   Mittwoch 03-06-2015 18:00 − Freitag 05-06-2015 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter




*** Zero-Day Disclosed in Unity Web Player ***
---------------------------------------------
A zero-day vulnerability has been disclosed in the popular Unity Web Player browser plugin. The flaw allows an attacker crossdomain access to websites and services using the victims credentials.
---------------------------------------------
http://threatpost.com/zero-day-disclosed-in-unity-web-player/113124




*** PCI Council releases PA-DSS 3.1, nixes SSL, early TLS ***
---------------------------------------------
The PCI Security Standards Council revisions to PA-DSS addresses SSL vulnerabilities.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/Ybnmzlufdo4/




*** Embedded: Geldautomaten sollen von XP auf Windows 10 updaten ***
---------------------------------------------
Die Branchenorganisation ATM Industry Association ruft die Hersteller dazu auf, bei Geldautomaten Windows 8 und 8.1. zu überspringen. Auf Windows XP ausruhen sollen sie sich nicht.
---------------------------------------------
http://www.golem.de/news/embedded-geldautomaten-sollen-von-xp-auf-windows-10-updaten-1506-114475-rss.html




*** ICS Amsterdam 2015 ***
---------------------------------------------
SANS ICS Amsterdam 2015 hosts five dedicated training courses for those tasked with securing Industrial Control Systems as well as a two day ICS Security Summit. This specialist training event takes place at the Radisson Blue Amsterdam, from September 22nd - 28th.
---------------------------------------------
https://www.sans.org/event/ics-amsterdam-2015




*** Critical vulnerabilities in JSON Web Token libraries ***
---------------------------------------------
Great. So, what's wrong with that? ... Meet the "none" algorithm.
---------------------------------------------
http://ab0files.com/critical-vulnerabilities-in-json-web-token-libraries




*** Achtung: Offene Intranets verraten zu viel ***
---------------------------------------------
Viele Organisationen haben ein eigenes Intranet. Manche stellen versehentlich vertrauliche Dokumente online, die über Google auffindbar sind. Wir haben uns per Google Beispiele herausgepickt.
---------------------------------------------
http://heise.de/-2680058




*** Asprox / Kuluoz Botnet Analysis ***
---------------------------------------------
Introduction Kuluoz, aka Asprox, is a spam botnet that emerged in 2007. It has been known for sending mass of phishing emails used in conjunction with social engineering lures (e.g. booking confirmations, postal-themed spam, etc.) This article presents a view on the malware and its capabilities, how it communicates with the CnC, encryption schemes used,...
---------------------------------------------
http://resources.infosecinstitute.com/asprox-kuluoz-botnet-analysis/




*** WLAN-Trick soll Apple-Pay-Nutzern Kreditkartendaten entlocken ***
---------------------------------------------
Angreifer können die automatische WLAN-Verbindungsaufnahme von iOS dazu nutzen, um mit einem manipulierten Apple-Pay-Dialog auf Kreditkartenfang zu gehen, warnt eine Sicherheitsfirma.
---------------------------------------------
http://heise.de/-2680369




*** IBM Security Bulletins ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/?lang=en_us




*** McAfee ePolicy Orchestrator SSL/TLS spoofing ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/103610




*** Vulnerabilities in Cisco Products ***
---------------------------------------------

*** Cisco FireSIGHT Management Center XSS and HTML Injection Vulnerabilities ***
http://tools.cisco.com/security/center/viewAlert.x?alertId=39171

*** Cisco ONS 15454 System Software Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/viewAlert.x?alertId=39172

*** Cisco Edge 340 Privilege Escalation Vulnerability ***
http://tools.cisco.com/security/center/viewAlert.x?alertId=39187

*** Cisco TelePresence SX20 HTTP Response Splitting Vulnerability ***
http://tools.cisco.com/security/center/viewAlert.x?alertId=39210




*** XZERES 442SR Wind Turbine CSRF Vulnerability ***
---------------------------------------------
This advisory provides mitigation details for a cross-site request forgery vulnerability in XZERES's 442SR turbine generator operating system.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-155-01




*** Bugtraq: CA20150604-01: Security Notice for CA Common Services ***
---------------------------------------------
http://www.securityfocus.com/archive/1/535684


More information about the Daily mailing list
Kontakt
Email: reports@cert.at
Tel.: +43 1 5056416 78
mehr ...
Warnungen
mehr ...
Blog
mehr ...
Jahresbericht 2017
Ein Resumee zur digitalen Sicherheitslage in Österreich

(HTML, PDF).
Letzte Änderung: 2018/5/28 - 15:00:00
Haftungsausschluss / Datenschutzerklärung