[CERT-daily] Daily summary - Tuesday 25-10-2016

Daily end-of-shift report team at cert.at
Tue Oct 25 18:05:43 CEST 2016


=======================
= End-of-Shift report =
=======================

Timeframe:   Monday 24-10-2016 18:00 - Tuesday 25-10-2016 18:00
Handler:     Alexander Riepl
Co-Handler:  n/a


*** iOS 10.1 ***
---------------------------------------------
https://support.apple.com/kb/HT207271




*** IoT Device Maker Vows Product Recall, Legal Action Against Western Accusers ***
---------------------------------------------
A Chinese electronics firm pegged by experts as responsible for making many of the components leveraged in last week's massive attack that disrupted Twitter and ..
---------------------------------------------
https://krebsonsecurity.com/2016/10/iot-device-maker-vows-product-recall-legal-action-against-western-accusers/




*** Locky Ransomware's new .SHIT Extension shows that you can't Polish a Turd ***
---------------------------------------------
To further show how ransomware is such a pile of crap, a new version of Locky has been released that appends the .shit extension on encrypted files. Like previous ..
---------------------------------------------
http://www.bleepingcomputer.com/news/security/locky-ransomwares-new-shit-extension-shows-that-you-cant-polish-a-turd/




*** DSA-3698 php5 - security update ***
---------------------------------------------
Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3698




*** Critical Patch Update - October 2016 ***
---------------------------------------------
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html




*** Cryptologist Hellman: NSA now advocates encryption ***
---------------------------------------------
Reliably encrypting data is also important for the security of states; moreover, assembling secure components is far from producing a secure system.
---------------------------------------------
http://derstandard.at/2000046466661




*** Wosign and Startcom: Mozilla publishes details of the TLS removal ***
---------------------------------------------
Mozilla's Firefox browser will no longer accept TLS certificates from the two scandal-ridden certificate authorities. The foundation has now explained exactly how this will be implemented.
---------------------------------------------
http://www.golem.de/news/wosign-und-startcom-mozilla-veroeffentlicht-details-des-tls-rauswurfs-1610-124022.html




*** Certificate Transparency: Fraud with TLS certificates becomes almost impossible ***
---------------------------------------------
From next autumn, all TLS certificate authorities must enter their certificates in a public log before issuing them. Certificate Transparency makes misconduct in certificate issuance easier to detect, and the TLS certificate system as a whole becomes more trustworthy.
---------------------------------------------
http://www.golem.de/news/certificate-transparency-betrug-mit-tsl-zertifikaten-wird-fast-unmoeglich-1610-124024.html




*** [20161002] - Core - Elevated Privileges ***
---------------------------------------------
Incorrect use of unfiltered data allows users to register on a site with elevated privileges. Affected installs: Joomla! CMS versions 3.4.4 through 3.6.3. Solution: Upgrade to ..
---------------------------------------------
https://developer.joomla.org/security-centre/660-20161002-core-elevated-privileges.html




*** [20161001] - Core - Account Creation ***
---------------------------------------------
Inadequate checks allow users to register on a site when registration has been disabled. Affected installs: Joomla! CMS versions 3.4.4 ..
---------------------------------------------
https://developer.joomla.org/security-centre/659-20161001-core-account-creation.html




*** BSI: Germany should protect networked devices better ***
---------------------------------------------
Following an attack on the Internet infrastructure, the Federal Office for Information Security (BSI) has demanded higher security standards.
---------------------------------------------
https://futurezone.at/netzpolitik/bsi-deutschland-soll-vernetzte-geraete-besser-schuetzen/227.261.380




*** Vulnerabilities in Slack could have led to account hijacking ***
---------------------------------------------
Persistence pays off as security researcher nets bug bounty for unearthing an access control bypass allowing attackers to reset passwords if they know the usernames.
---------------------------------------------
http://www.scmagazine.com/vulnerabilities-in-slack-could-have-led-to-account-hijacking/article/567995/




*** task_t considered harmful ***
---------------------------------------------
Posted by Ian Beer, Project Zero. This post discusses a design issue at the core of the XNU kernel which powers iOS and MacOS. Apple have shipped two iterations of mitigations followed yesterday by a large refactor in MacOS 10.12.1/iOS ..
---------------------------------------------
http://googleprojectzero.blogspot.com/2016/10/posted-by-ian-beer-project-zero-this.html


Because of the public holiday tomorrow, Wednesday 26.10.2016, the next End-of-Shift report will not appear until 27.10.2016.

