[CERT-daily] Tageszusammenfassung - 13.12.2018

Thu Dec 13 18:13:46 CET 2018

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 12-12-2018 18:00 − Donnerstag 13-12-2018 18:00
Handler:     Dimitri Robl
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Captchas are dead...ish. ∗∗∗
---------------------------------------------
According to a recently published research paper, some types of Captchas are now obsolete. The reason: machines have learned to solve those Captchas.
---------------------------------------------
https://www.gdatasoftware.com/blog/2018/12/31374-captchas-are-dead-ish


∗∗∗ OWASP Top 10 Security Risks – Part III ∗∗∗
---------------------------------------------
Today, we are going to explore items 5 and 6: broken access control and security misconfigurations.
---------------------------------------------
https://blog.sucuri.net/2018/12/owasp-top-10-security-risks-part-iii.html


∗∗∗ Wichtiges Sicherheitsupdate: WordPress 5.0.1 ist da ∗∗∗
---------------------------------------------
Aufgrund von mehreren Sicherheitslücken könnten Angreifer mit WordPress erstellte Websites attackieren. Eine fehlerbereinigte Version steht bereit.
---------------------------------------------
http://heise.de/-4249500


∗∗∗ Scanning for Flaws, Scoring for Security ∗∗∗
---------------------------------------------
Is it fair to judge an organizations information security posture simply by looking at its Internet-facing assets for weaknesses commonly sought after and exploited by attackers, such as outdated software or accidentally exposed data and devices? Fair or not, a number of nascent efforts are using just such an approach to derive security scores for companies and entire industries.
---------------------------------------------
https://krebsonsecurity.com/2018/12/scanning-for-flaws-scoring-for-security/


∗∗∗ Vorsicht bei gamestar4.com ∗∗∗
---------------------------------------------
Der Online-Shop gamestar4.com, mit angeblichem Sitz in Wien, ist betrügerisch. Auf gamestar4.com finden Sie neben Haushaltszubehör und Elektrogeräten, billige Spielkonsolen, die als Wochendeals beworben werden. Bestellen Sie bei gamestar4.com, verlieren Sie Ihr Geld, übermitteln Betrüger/innen sensible Daten und erhalten keine Ware.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-bei-gamestar4com/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr), Fedora (singularity), openSUSE (compat-openssl098, cups, firefox, mozilla-nss, and xen), and SUSE (cups, exiv2, ghostscript, and git).
---------------------------------------------
https://lwn.net/Articles/774845/


∗∗∗ Linux kernel vulnerability CVE-2018-5390 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K95343321


∗∗∗ IBM Security Bulletin: IBM® DB2® contains a denial of service vulnerability in scalar functions (CVE-2018-1977) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-db2-contains-a-denial-of-service-vulnerability-in-scalar-functions-cve-2018-1977/


∗∗∗ IBM Security Bulletin: Financial Transaction Manager for ACH Services is affected by a potential cross-site scripting (XSS) vulnerability (CVE-2018-1871) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-financial-transaction-manager-for-ach-services-is-affected-by-a-potential-cross-site-scripting-xss-vulnerability-cve-2018-1871/


∗∗∗ IBM Security Bulletin: Cross-Site Scripting vulnerability in IBM Business Automation Workflow (CVE-2018-1848) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-cross-site-scripting-vulnerability-in-ibm-business-automation-workflow-cve-2018-1848/


∗∗∗ IBM Security Bulletin: Potential MITM attack in Apache CXF used by IBM Event Streams (CVE-2018-8039) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-potential-mitm-attack-in-apache-cxf-used-by-ibm-event-streams-cve-2018-8039/


∗∗∗ IBM Security Bulletin: IBM Security Directory Server is affected by multiple vulnerabilities in GSKit ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-directory-server-is-affected-by-multiple-vulnerabilities-in-gskit/


∗∗∗ IBM Security Bulletin: IBM Security Directory Server is affected by a vulnerability in GSKit ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-directory-server-is-affected-by-a-vulnerability-in-gskit/


∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Directory Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-security-directory-server/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily