[CERT-daily] Tageszusammenfassung - Donnerstag 12-09-2013

Daily end-of-shift report team at cert.at
Thu Sep 12 18:07:15 CEST 2013


=======================
= End-of-Shift report =
=======================

Timeframe:   Mittwoch 11-09-2013 18:00 − Donnerstag 12-09-2013 18:00
Handler:     Robert Waldner
Co-Handler:  n/a

*** NIST advises against use of random bit generator algorithm apparently backdoored by NSA ***
---------------------------------------------
"NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A, no longer be used," NIST says in a bulletin.
---------------------------------------------
http://www.fiercegovernmentit.com/story/nist-advises-against-use-random-bit-generator-algorithm-apparently-backdoor/2013-09-11



*** Bugtraq: OWASP Zed Attack Proxy 2.2.0 ***
---------------------------------------------
This includes support for scripts embedded in ZAP components like the active and passive scanners as well as support for Zest - a new security focused scripting language from the Mozilla security team. It also supports Mozilla Plug-n-Hack, localization in 20 languages, various minor enhancements and lots of bug fixes.
---------------------------------------------
http://www.securityfocus.com/archive/1/528553




*** Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 6.1.0.47 ***
---------------------------------------------
Cross reference list for security vulnerabilities fixed in IBM WebSphere Application Server Fix Pack 6.1.0.47    CVE ID(s):    CVE-2012-3305   CVE-2012-4853   CVE-2013-0458   CVE-2013-0461   CVE-2013-0460   CVE-2013-0459   CVE-2013-0596   CVE-2013-0541   CVE-2013-0543   CVE-2013-0462   CVE-2013-2967   CVE-2013-2976   CVE-2013-0542   CVE-2013-0544   CVE-2013-0169  CVE-2013-1768  CVE-2013-1862   CVE-2013-4005   CVE-2013-3029  CVE-2013-1896   CVE-2012-2098  CVE-2013-4053   CVE-2013-4052     
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_potential_security_vulnerabilities_fixed_in_ibm_websphere_application_server_6_1_0_47?lang=en_us




*** Technical Analysis of CVE-2013-3147 ***
---------------------------------------------
In July, Microsoft released a patch for a memory-corruption vulnerability in the Internet Explorer (IE) Web browser. The vulnerability enabled remote attackers to execute arbitrary code or cause a denial of service through a crafted or compromised website — also known as … Continue reading →
---------------------------------------------
http://www.fireeye.com/blog/technical/2013/09/technical-analysis-of-cve-2013-3147.html




*** TYPO3 CMS 6.1.5, 6.0.10, 4.7.15 and 4.5.30 released ***
---------------------------------------------
We are announcing the release of the following TYPO3 CMS updates: TYPO3 CMS 6.1.5 TYPO3 CMS 6.0.10 TYPO3 CMS 4.7.15 TYPO3 CMS 4.5.30 All versions are maintenance releases and contain bug fixes. Note: The 6.1.5 and 6.0.10 releases contain important fixes to regression which were introduced in the latest security releases (6.1.4 and 6.0.9). Releases 4.7.15 and 4.5.30 are merely bug fix releases, and increased compatibility with browsers and MySQL 5.5.
---------------------------------------------
http://typo3.org/news/article/typo3-cms-615-6010-4715-and-4530-released/




*** Wordpress-Update schließt Sicherheitslücken ***
---------------------------------------------
Mit Version 3.6.1 hat das Wordpress-Team ein wichtiges Update für seine Open-Source-Blog-Software freigegeben. 13 Fehler und drei Sicherheitslücken der vor kurzem veröffentlichten Version 3.6 wurden behoben, die Entwickler raten zur Aktualisierung.
---------------------------------------------
http://www.heise.de/security/meldung/Wordpress-Update-schliesst-Sicherheitsluecken-1955270.html




*** Analysis: Staying safe from virtual robbers ***
---------------------------------------------
The more popular online banking becomes, the more determined cybercriminals are to steal users’ money. How is money stolen with the help of malicious programs? How can you protect yourself from virtual robbery?
---------------------------------------------
http://www.securelist.com/en/analysis/204792304/Staying_safe_from_virtual_robbers




*** Office-Updates geraten in Installationsschleife ***
---------------------------------------------
Einige der am September-Patchday herausgegebene Office-Patches sind offenbar fehlerhaft. Drei der Updates hängen in einer Installationsschleife fest, eines sorgt dafür, dass Outlook nur noch eingeschränkt nutzbar ist.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Office-Updates-geraten-in-Installationsschleife-1955292.html




*** Juniper Junos Pulse Secure Access Service / Junos Pulse Access Control Service OpenSSL Multiple Vulnerabilities ***
---------------------------------------------
Juniper Junos Pulse Secure Access Service / Junos Pulse Access Control Service OpenSSL Multiple Vulnerabilities
---------------------------------------------
https://secunia.com/advisories/54777




*** Siemens SCALANCE X-200 Web Hijack Vulnerability ***
---------------------------------------------
OVERVIEWSiemens has identified a Web hijack vulnerability in the SCALANCE X-200 switch product family. Researcher Eireann Leverett of IOActive coordinated disclosure of the vulnerability with Siemens. Siemens has produced a firmware update that mitigates this vulnerability.This vulnerability could be exploited remotely.AFFECTED PRODUCTSSiemens reports that the vulnerability affects the following versions:
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-254-01





*** Firefox OS Likely to Face HTML5, Boot-to-gecko Process Attacks ***
---------------------------------------------
Excerpt: The Firefox OS, a new contender in mobile operating systems, will likely see HTML5-related attacks and assaults on a crucial operating system process, according to security vendor Trend Micro.Some mobile phone operators are already shipping devices with the Firefox OS, which comes from Mozilla, the nonprofit organization behind the Firefox desktop browser.
---------------------------------------------
http://www.cio.com/article/739475/Firefox_OS_Likely_to_Face_HTML5_Boot_to_gecko_Process_Attacks?taxonomyId=3089






More information about the Daily mailing list