[CERT-daily] Daily summary - Tuesday 8-04-2014

Daily end-of-shift report team at cert.at
Tue Apr 8 18:05:53 CEST 2014


=======================
= End-of-Shift report =
=======================

Timeframe:   Monday 07-04-2014 18:00 − Tuesday 08-04-2014 18:00
Handler:     Robert Waldner
Co-Handler:  n/a

*** The worst case for encryption on the web: horror bug in OpenSSL ***
---------------------------------------------
An extremely serious programming error apparently endangers the encryption, keys and data of connections on the Internet that are secured with OpenSSL. Given how widespread the open-source library is, this is quite a catastrophe.
---------------------------------------------
http://www.heise.de/security/meldung/Der-GAU-fuer-Verschluesselung-im-Web-Horror-Bug-in-OpenSSL-2165517.html




*** VU#568252: Websense Triton Unified Security Center 7.7.3 information disclosure vulnerability ***
---------------------------------------------
Vulnerability Note VU#568252: Websense Triton Unified Security Center 7.7.3 information disclosure vulnerability. Original Release date: 07 Apr 2014 | Last revised: 07 Apr 2014. Overview: Websense Triton Unified Security Center 7.7.3 and possibly earlier versions contain an information disclosure vulnerability which could allow an authenticated attacker to view stored credentials of a possibly higher privileged user. Description: CWE-200: Information Exposure. When logged into the Websense Triton
---------------------------------------------
http://www.kb.cert.org/vuls/id/568252




*** Energy supplier tests its security – and fails ***
---------------------------------------------
In "Die Hard 4.0", cyber crooks shut down the entire power supply in the eastern USA over the Internet. An unrealistic scenario? Not quite ...
---------------------------------------------
http://www.heise.de/newsticker/meldung/Energieversorger-testet-Sicherheit-und-faellt-durch-2165153.html/from/rss09?wt_mc=rss.ho.beitrag.rdf





*** The Muddy Waters of XP End-of-Life and Public Disclosures ***
---------------------------------------------
Security researchers who have privately disclosed Windows XP vulnerabilities to Microsoft may never see patches for their bugs with XP's end-of-life date at hand. Will there be a rash of public disclosures?
---------------------------------------------
http://threatpost.com/the-muddy-waters-of-xp-end-of-life-and-public-disclosures/105295




*** In 2013, data of more than 500 million users was stolen ***
---------------------------------------------
Data belonging to more than half a billion Internet users was stolen in online attacks last year, according to calculations by IT security experts.
---------------------------------------------
http://futurezone.at/digital-life/2013-wurden-daten-von-ueber-500-millionen-nutzern-geklaut/59.792.048





*** Background: ct Fritzbox test detects hidden devices ***
---------------------------------------------
Some users of the Fritzbox test receive unexpected results. Often the cause is WLAN APs, repeaters or other AVM devices. In addition, there are some sources of error that can make a manual test necessary.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Hintergrund-c-t-Fritzbox-Test-spuert-verborgene-Geraete-auf-2165771.html/from/rss09?wt_mc=rss.ho.beitrag.rdf




*** The 2013 Internet Security Threat Report: Year of the Mega Data Breach ***
---------------------------------------------
Once again, it’s time to reveal the latest findings from our Internet Security Threat Report (ISTR), which looks at the current state of the threat landscape, based on our research and analysis from the past year. Key trends from this year’s report include the large increase in data breaches and targeted attacks, the evolution of mobile malware and ransomware, and the potential threat posed by the Internet of Things.
---------------------------------------------
http://www.symantec.com/connect/blogs/2013-internet-security-threat-report-year-mega-data-breach




*** Cacti Multiple Vulnerabilities ***
---------------------------------------------
Some vulnerabilities have been reported in Cacti, which can be exploited by malicious users to conduct script insertion and SQL injection attacks and compromise a vulnerable system.
 * CVE-2014-2326
 * CVE-2014-2708
 * CVE-2014-2709
---------------------------------------------
https://secunia.com/advisories/57647




*** Open-Xchange Email Autoconfiguration Information Disclosure Weakness ***
---------------------------------------------
A weakness has been reported in Open-Xchange, which can be exploited by malicious people to disclose certain sensitive information.
The weakness is caused by the application communicating certain information via parameters of a GET request when using the email autoconfiguration, which can be exploited to disclose the account password.
---------------------------------------------
https://secunia.com/advisories/57654




*** VU#345337: J2k-Codec contains multiple exploitable vulnerabilities ***
---------------------------------------------
Vulnerability Note VU#345337: J2k-Codec contains multiple exploitable vulnerabilities. Original Release date: 08 Apr 2014 | Last revised: 08 Apr 2014. Overview: J2k-Codec contains multiple exploitable vulnerabilities, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description: J2k-Codec is a JPEG 2000 decoding library for Windows. J2k-Codec contains multiple exploitable vulnerabilities that can lead to arbitrary code execution.
---------------------------------------------
http://www.kb.cert.org/vuls/id/345337





