[CERT-daily] Tageszusammenfassung - Montag 28-04-2014

Daily end-of-shift report team at cert.at
Mon Apr 28 18:09:20 CEST 2014


=======================
= End-of-Shift report =
=======================

Timeframe:   Freitag 25-04-2014 18:00 − Montag 28-04-2014 18:00
Handler:     Robert Waldner
Co-Handler:  n/a

*** Using Facebook Notes to DDoS any website ***
---------------------------------------------
Facebook Notes allows users to include  tags. Whenever a  tag is used, Facebook crawls the image from the external server and caches it. Facebook will only cache the image once however using random get parameters the cache can be by-passed and the feature can be abused to cause a huge HTTP GET flood.
---------------------------------------------
http://chr13.com/2014/04/20/using-facebook-notes-to-ddos-any-website/




*** Mozilla entschlackt Zertifkats-Überprüfung ***
---------------------------------------------
Statt 81.865 sind jetzt nur noch 4167 Zeilen Code zum überprüfen von SSL-Zertifikaten nötig. Wer Sicherheitslücken in darin findet, erhält einen üppigen Finderlohn.
---------------------------------------------
http://www.heise.de/security/meldung/Mozilla-entschlackt-Zertifkats-Ueberpruefung-2177285.html




*** Examining the Heartbleed-based FUD thats pitched to the public ***
---------------------------------------------
The Heartbleed vulnerability has created a massive news cycle, and generated technical risk-based discussions that might actually do some good. But some of these discussions boggle the mind, spreading misinformation in order to generate clicks or sales.When security issues hit the mass media, such as Heartbleed, there is a good deal of Fear, Uncertainty, and Doubt - better known as FUD - that gets promoted on the airwaves and in print.
---------------------------------------------
http://www.csoonline.com/article/2148461/application-security/examining-the-heartbleed-based-fud-thats-pitched-to-the-public.html#tk.rss_applicationsecurity




*** Sicherheitslücke bei Messaging-App Viber aufgedeckt ***
---------------------------------------------
Bilder, Videos und Standortdaten, die man mit der Messaging-App Viber übermittelt, werden unverschlüsselt auf Servern gespeichert. Der Zugang dazu ist äußerst einfach.
---------------------------------------------
http://futurezone.at/digital-life/sicherheitsluecke-bei-messaging-app-viber-aufgedeckt/62.729.710





*** Microsoft Warns of Attacks on IE Zero-Day ***
---------------------------------------------
Microsoft is warning Internet Explorer users about active attacks that attempt to exploit a previously unknown security flaw in every supported version of IE. The vulnerability could be used to silently install malicious software without any help from users, save for perhaps merely browsing to a hacked or malicious site.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/PUm3t0AZZzc/




*** Neue Internet-Explorer-Lücke wird zum Ernstfall für Windows XP ***
---------------------------------------------
Wird bereits aktiv ausgenutzt - Kein Update mehr für XP, andere Betriebssystemversion derzeit ebenfalls noch ungeschützt
---------------------------------------------
http://derstandard.at/1397521804143




*** Biggest EU cyber security exercise to date: Cyber Europe 2014 taking place today ***
---------------------------------------------
Today, 28 April 2014, European countries kick off the Cyber Europe 2014 (CE2014). CE2014 is a highly sophisticated cyber exercise, involving more than 600 security actors across Europe.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/biggest-eu-cyber-security-exercise-to-date-cyber-europe-2014-taking-place-today




*** Cisco IOS XE Software Malformed L2TP Packet Vulnerability ***
---------------------------------------------
A vulnerability in the Layer 2 Tunneling Protocol (L2TP) module of Cisco IOS XE on Cisco ASR 1000 Series Routers could allow an authenticated, remote attacker to cause a reload of the processing ESP card.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2183




*** Security updates available for Adobe Flash Player (APSB14-13) ***
---------------------------------------------
A Security Bulletin (APSB14-13) has been published regarding security updates for Adobe Flash Player. These updates address a critical vulnerability, and Adobe recommends users update their product installations to the latest versions
---------------------------------------------
http://blogs.adobe.com/psirt/?p=1093






More information about the Daily mailing list