[CERT-daily] Daily summary - Friday 16-05-2014

Daily end-of-shift report team at cert.at
Fri May 16 18:09:11 CEST 2014


=======================
= End-of-Shift report =
=======================

Timeframe:   Thursday 15-05-2014 18:00 − Friday 16-05-2014 18:00
Handler:     Alexander Riepl
Co-Handler:  Robert Waldner

*** CSWorks Software SQL Injection Vulnerability ***
---------------------------------------------
Researcher John Leitch, working with HP's Zero Day Initiative (ZDI), has identified an SQL injection vulnerability in CSWorks' CSWorks software framework. CSWorks has produced an updated version that mitigates this vulnerability.
This vulnerability could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-135-01




*** Statistics: Encrypted traffic is increasing ***
---------------------------------------------
According to a study, the share of SSL-encrypted connections on the Internet has been rising since the start of the revelations by whistleblower Edward Snowden. The increases in the US and in Europe differ, however.
---------------------------------------------
http://www.heise.de/security/meldung/Statistik-Verschluesselter-Datenverkehr-nimmt-zu-2191276.html




*** Torque 2.5.13 Buffer Overflow ***
---------------------------------------------
Topic: Torque 2.5.13 Buffer Overflow. Risk: High. A buffer overflow exists in versions of TORQUE which can be exploited in order to remotely execute code from an unauthenticated...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014050086




*** Apple Releases OS X 10.9.3, Fixes Serious Flaw in iTunes ***
---------------------------------------------
Apple has released a new version of OS X Mavericks, which includes all of the security fixes it pushed out last month. OS X 10.9.3 includes the patches for the so-called triple handshake SSL vulnerability, as well as fixes for several remote code-execution vulnerabilities.
---------------------------------------------
http://threatpost.com/apple-releases-os-x-10-9-3-fixes-serious-flaw-in-itunes/106121




*** Understanding how Fuzzing Relates to a Vulnerability like Heartbleed ***
---------------------------------------------
Fuzzing is a security-focused testing technique in which a compiled program is executed so that the attack surface can be tested as it actually runs. The attack surfaces are the components of code that accept user input. Since this is the most vulnerable part of code, it should be rigorously tested with anomalous data.
---------------------------------------------
http://labs.bromium.com/2014/05/14/understanding-how-fuzzing-relates-to-a-vulnerability-like-heartbleed/
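To make the fuzzing idea above concrete, here is an added Python example (not code from the Bromium post or from any project it discusses): a toy record handler that trusts a declared length field, which is the class of mistake behind Heartbleed, a hardened handler that checks the declared length against the bytes actually received, and a small mutation fuzzer that feeds both handlers anomalous inputs and flags any response longer than the payload that was supplied. The record format, the `SECRET_MEMORY` stand-in for adjacent process memory, and all function names are assumptions made for this illustration.

```python
import random
import struct

# Constructed toy record format (an assumption for this example, not any real
# protocol): 1 byte type, 2-byte big-endian declared payload length, payload.
HEARTBEAT = 0x01
# Stand-in for whatever happens to sit next to the payload in process memory.
SECRET_MEMORY = b"SESSION-KEY=deadbeef;"


class Crash(Exception):
    """Raised when a handler rejects malformed input (the hardened behaviour)."""


def encode_record(rtype: int, payload: bytes) -> bytes:
    """Build a well-formed record whose length field matches the payload."""
    return bytes([rtype]) + struct.pack(">H", len(payload)) + payload


def handle_vulnerable(record: bytes) -> bytes:
    """Echo back `declared_len` bytes, trusting the length field in the message."""
    if len(record) < 3:
        raise Crash("short header")
    rtype = record[0]
    (declared_len,) = struct.unpack(">H", record[1:3])
    payload = record[3:]
    if rtype != HEARTBEAT:
        return b""
    # Model of the bug: the copy runs past the end of the payload into
    # adjacent memory whenever declared_len exceeds what was actually sent.
    buffer = payload + SECRET_MEMORY
    return buffer[:declared_len]


def handle_hardened(record: bytes) -> bytes:
    """Same echo, but the declared length is checked against the bytes received."""
    if len(record) < 3:
        raise Crash("short header")
    rtype = record[0]
    (declared_len,) = struct.unpack(">H", record[1:3])
    payload = record[3:]
    if rtype != HEARTBEAT:
        return b""
    if declared_len > len(payload):
        raise Crash("declared length exceeds payload")
    return payload[:declared_len]


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation to a valid seed record."""
    data = bytearray(seed)
    choice = rng.randrange(4)
    if choice == 0:                      # flip one random bit
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif choice == 1:                    # overwrite one random byte
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif choice == 2 and len(data) > 3:  # truncate the tail (payload shrinks)
        del data[rng.randrange(3, len(data)):]
    else:                                # inflate the length field
        struct.pack_into(">H", data, 1, rng.randrange(len(data), 65536))
    return bytes(data)


def fuzz(handler, seed: bytes, iterations: int, rng_seed: int = 0) -> list:
    """Run mutated inputs through `handler`; return the cases that leaked bytes.

    A leak is any response longer than the payload that was actually supplied.
    Inputs the handler rejects with Crash are the expected safe outcome.
    """
    rng = random.Random(rng_seed)   # fixed seed keeps the run reproducible
    findings = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            out = handler(case)
        except Crash:
            continue
        if len(out) > len(case) - 3:
            findings.append(case)
    return findings


SEED = encode_record(HEARTBEAT, b"ping")

if __name__ == "__main__":
    for name, handler in (("vulnerable", handle_vulnerable), ("hardened", handle_hardened)):
        found = fuzz(handler, SEED, 500)
        print(f"{name}: {len(found)} leaking inputs out of 500")
        if found:
            sample = found[0]
            print("  example leak:", handler(sample)[len(sample) - 3:])
```

Each fuzz iteration starts from the same valid seed and applies exactly one mutation, so the findings are easy to read back to the mutation that caused them; a real campaign would also keep a corpus of interesting inputs and watch for crashes and sanitizer reports rather than only for over-long replies.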




*** iTunes: Apple closes problematic hole in PC version ***
---------------------------------------------
Update 11.2 plugs a hole through which it was possible to steal iTunes credentials on Windows XP SP3 through Windows 8.
---------------------------------------------
http://www.heise.de/security/meldung/iTunes-Apple-schliesst-problematische-Luecke-in-PC-Version-2191562.html




*** PayPal Fixes Serious Account Hijacking Bug in Manager ***
---------------------------------------------
PayPal patched a hole in its Manager functionality this week that could have made it easy for an attacker to hijack an admin's account, change their password and steal their personal information -- not to mention their savings.
---------------------------------------------
http://threatpost.com/paypal-fixes-serious-account-hijacking-bug-in-manager/106117


