[CERT-daily] Tageszusammenfassung - Mittwoch 15-10-2014

Wed Oct 15 20:46:12 CEST 2014

=======================
= End-of-Shift report =
=======================

Timeframe:   Dienstag 14-10-2014 18:00 − Mittwoch 15-10-2014 18:00
Handler:     Robert Waldner
Co-Handler:  Otmar Lendl

*** Accessing Risk for the October 2014 Security Updates ***
---------------------------------------------
Today we released eight security bulletins addressing 24 unique CVE's. Three bulletins have a maximum severity rating of Critical, and five have a maximum severity rating of Important. This table is designed to help you prioritize the deployment of updates appropriately for your environment.     Bulletin   Most likely attack vector   Max Bulletin Severity   Max exploitability   Platform mitigations and key notes     MS14-058 (Kernel mode drivers [win32k.sys])   Attacker loads a malicious
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2014/10/14/accessing-risk-for-the-october-2014-security-updates.aspx


*** MS14-OCT - Microsoft Security Bulletin Summary for October 2014 - Version: 1.0 ***
---------------------------------------------
This bulletin summary lists security bulletins released for October 2014.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS14-OCT


*** More Details About CVE-2014-4073 Elevation of Privilege Vulnerability ***
---------------------------------------------
Today Microsoft shipped MS14-057 to the .NET Framework in order to resolve an Elevation of Privilege vulnerability in the ClickOnce deployment service. While this update fixes this service, developers using Managed Distributed Component Object Model (a .NET wrapped around DCOM) need to take immediate action to ensure their applications are secure. Managed DCOM is an inherently unsafe way to perform communication between processes of different trust levels. Microsoft recommends moving
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2014/10/14/more-details-about-cve-2014-4073-elevation-of-privilege-vulnerability.aspx


*** BlackBerry 10 Devices Open to Bug That Allows Malicious App Installation ***
---------------------------------------------
BlackBerry has patched a vulnerability in its BlackBerry 10 devices that could allow an attacker to intercept users' traffic to and from the BlackBerry World app store and potentially install malware on a targeted device. The vulnerability is a weakness in the integrity checking system that BlackBerry uses to verify the apps that users download.
---------------------------------------------
http://threatpost.com/blackberry-10-devices-open-to-bug-that-allows-malicious-app-installation/108830


*** An Analysis of Windows Zero-day Vulnerability "CVE-2014-4114" aka "Sandworm" ***
---------------------------------------------
Prior to the release of Microsoft's monthly patch Tuesday, a new zero-day exploiting Windows vulnerability covered in CVE-2014-4114 was reported by iSight. The said vulnerability affects desktop and server versions of Vista and Sever 2008 to current versions. It was believed to be associated in cyber attacks related to NATO by Russian cyber espionage group. 
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/jSCRsk2zaNU/


*** Analysis of Linux Backdoor Used In Freenode Hack ***
---------------------------------------------
An anonymous reader writes "A detailed analysis has been done of the Linux backdoor used in the freenode hack. It employed port knocking and encryption to provide security against others using it. This seems a little more sophisticated than your average black-hat hacker.    Read more of this story at Slashdot.
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/K3FWymutqls/story01.htm


*** Siemens OpenSSL Vulnerabilities (Update D) ***
---------------------------------------------
This updated advisory is a follow-up to the updated advisory titled ICSA-14-198-03C Siemens OpenSSL Vulnerabilities that was published August 21, 2014, on the NCCIC/ICS-CERT web site. This updated advisory provides mitigation details for vulnerabilities in the Siemens OpenSSL cryptographic software library affecting several Siemens industrial products.
---------------------------------------------
https://ics-cert.us-cert.gov//advisories/ICSA-14-198-03D


*** Oracle stopft kritische Lücken in Java ***
---------------------------------------------
Oracle hat mit seinem Oktober-Update 154 Sicherheitsupdates veröffentlicht, die fast alle Produkte des Unternehmens abdecken. Aber besonders die Sicherheitsupdates für Java sollten laut der Firma so schnell wie möglich installiert werden.
---------------------------------------------
http://www.heise.de/security/meldung/Oracle-stopft-kritische-Luecken-in-Java-2424189.html


*** Security Advisory 3009008 released ***
---------------------------------------------
Today, we released Security Advisory 3009008 to address a vulnerability in Secure Sockets Layer (SSL) 3.0 which could allow information disclosure. This is an industry-wide vulnerability that affects the protocol itself, and is not specific to Microsoft's implementation of SSL or the Windows operating system.  This advisory provides guidance for customers so that they can disable SSL 3.0 in the browser. Customers should be aware that once they disable SSL 3.0, if they visit a website that
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2014/10/14/security-advisory-3009008-released.aspx


*** October 2014 Updates ***
---------------------------------------------
Today, as part of Update Tuesday, we released eight security updates three rated Critical and five rated Important - to address 24 Common Vulnerabilities & Exposures (CVEs) in Windows, Office, .NET Framework, .ASP.NET, and Internet Explorer (IE). We encourage you to apply all of these updates, but for those who need to prioritize deployment planning, we recommend focusing on the Critical updates first.  Here's an overview slide and video of the security updates released today:
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2014/10/14/october-2014-updates.aspx


*** [2014-10-15] Potential Cross-Site Scripting in ADF Faces ***
---------------------------------------------
The Oracle ADF Faces framework fails to encode certain characters in the goButton component. This may lead to Cross-Site Scripting vulnerabilities in applications that use this component.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20141015-0_ADF_Faces_Potential_Cross-Site_Scripting_v10.txt


*** Bugtraq: two browser mem disclosure bugs (CVE-2014-1580 and CVE-something-or-other) ***
---------------------------------------------
two browser mem disclosure bugs (CVE-2014-1580 and CVE-something-or-other)
---------------------------------------------
http://www.securityfocus.com/archive/1/533692


*** Java Reflection API Woes Resurface in Latest Oracle Patches ***
---------------------------------------------
Oracles Critical Patch update addresses 154 vulnerabilities, many of which are remotely exploitable. Security Explorations of Poland, meanwhile, published details on a number of Java flaws in the Java Reflection API.
---------------------------------------------
http://threatpost.com/java-reflection-api-woes-resurface-in-latest-oracle-patches/108847


*** Bugtraq: Multiple Cross-Site Scripting (XSS) in WP Google Maps WordPress Plugin ***
---------------------------------------------
Multiple Cross-Site Scripting (XSS) in WP Google Maps WordPress Plugin
---------------------------------------------
http://www.securityfocus.com/archive/1/533699


*** Bugtraq: Paypal Inc MultiOrderShipping API - Filter Bypass & Persistent XML Vulnerability ***
---------------------------------------------
Paypal Inc MultiOrderShipping API - Filter Bypass & Persistent XML Vulnerability
---------------------------------------------
http://www.securityfocus.com/archive/1/533698


*** OpenSSL Releases OpenSSL 1.0.1j, 1.0.0o and 0.9.8zc, (Wed, Oct 15th) ***
---------------------------------------------
This update to the OpenSSL Library addresses 3 vulnerabilities. One of these is the POODLE vulnerability announced yesterday. CVE-2014-3513: A memory leak in parsing DTLS SRTPmessages can lead to a denial of service. You are vulnerable, unless you specificly compiled your OpenSSL library with the OPENSSL_NO_SRTP option. All 1.0.1 versions of OpenSSL are affected. CVE-2014-3567: Another memory leak that can lead to a DoS attack. In this case, memory is not free up if an SSL session ticket fails
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18835&rss