[CERT-daily] Daily summary - Friday 5-09-2014

Daily end-of-shift report team at cert.at
Fri Sep 5 18:11:17 CEST 2014


=======================
= End-of-Shift report =
=======================

Timeframe:   Thursday 04-09-2014 18:00 − Friday 05-09-2014 18:00
Handler:     Robert Waldner
Co-Handler:  Alexander Riepl



*** 5 things you should know about email unsubscribe links before you click ***
---------------------------------------------
We all get emails we don't want and cleaning them up can be as easy as clicking unsubscribe at the bottom of the email. However, some of those handy little links can cause more trouble than they solve.
---------------------------------------------
http://nakedsecurity.sophos.com/2014/09/04/5-things-you-should-know-about-email-unsubscribe-links-before-clicking/




*** Google acceleration of SHA-1 deprecation draws resistance ***
---------------------------------------------
Google said Chrome 39, to be released within 12 weeks, will treat some sites as untrusted, accelerating the transition and user woes.
---------------------------------------------
http://www.scmagazine.com/google-acceleration-of-sha-1-deprecation-draws-resistance/article/369804/




*** Fresh phish served with a helping of AES ***
---------------------------------------------
Attempts to use encryption to make analysis of phishing websites more difficult may be a sign of things to come.  Obfuscated phishing sites are nothing new. Various techniques such as JavaScript encryption tools (which offer very primitive obfuscation), data URIs (where the page content is mostly Base64-encoded), and ..
---------------------------------------------
http://www.symantec.com/connect/blogs/fresh-phish-served-helping-aes




*** Researchers discover two SQL injection flaws in WordPress security plugin ***
---------------------------------------------
High-Tech Bridge discovered two SQL injection vulnerabilities in the All In One WordPress Security and Firewall plugin and notified the vendor.
---------------------------------------------
http://www.scmagazine.com/researchers-discover-two-sql-injection-flaws-in-wordpress-security-plugin/



*** Malware Bypasses Chrome Extension Security Feature ***
---------------------------------------------
Originally created to extend a browser's functionality, browser extensions have become yet another tool for cybercriminals' schemes. Earlier this year, Google addressed the issue of malicious browser extensions by ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-bypasses-chrome-extension-security-feature/




*** Red Hat Enterprise Virtualization Manager 3.4.2 update ***
---------------------------------------------
It was discovered that, when loading XML/RSDL documents, the oVirt Engine back end module used an insecure DocumentBuilderFactory. A remote, authenticated attacker could use this flaw to read files accessible to the user running the ..
---------------------------------------------
https://rhn.redhat.com/errata/RHSA-2014-1161.html




*** Microsoft Security Bulletin Advance Notification for September 2014 ***
---------------------------------------------
This is an advance notification of security bulletins that Microsoft is intending to release on September 9, 2014. ... The following table summarizes the security bulletins for this month in order of severity. Bulletin 1..
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS14-SEP




*** Prenotification Security Advisory for Adobe Reader and Acrobat (APSB14-20) ***
---------------------------------------------
Adobe is planning to release security updates on Tuesday, September 9, 2014 for Adobe Reader and Acrobat for Windows and Macintosh ..
---------------------------------------------
http://helpx.adobe.com/security/products/reader/apsb14-20.html




*** Apple promises more security after hacker attack ***
---------------------------------------------
Apple users are to be notified in future about attempts to change their password, in order to prevent data theft.
---------------------------------------------
http://futurezone.at/digital-life/apple-verspricht-mehr-sicherheit-nach-hacker-angriff/83.899.266




*** Apache POI 3.10.1-20140818 security issues with OOXML ***
---------------------------------------------
The Apache POI project is pleased to announce the release of POI 3.10.1-20140818. This release is a bugfix release to fix two...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014090022




*** Security of Password Managers ***
---------------------------------------------
At USENIX Security this year there were two papers studying the security of password managers: David Silver, Suman Jana, and Dan Boneh, "Password Managers: Attacks and Defenses." Zhiwei Li, Warren He, Devdatta Akhawe, and Dawn Song, "The Emperor's New Password Manager: Security Analysis of Web-based Password Managers." It's interesting work, especially because it looks at security problems in something that ..
---------------------------------------------
https://www.schneier.com/blog/archives/2014/09/security_of_pas.html




*** BankAPI - What is it? ***
---------------------------------------------
BankAPI is a secure decentralized messaging system for sending files/messages between banks and other types of financial institutions. There is a reference implementation of the protocol which can be used off-the-shelf; it is of production-grade quality and is not only for testing and demonstration, although it ..
---------------------------------------------
https://github.com/trustly/bankapi/




*** Remote code execution vulnerability in F5 BigIP ***
---------------------------------------------
In high-availability mode, the load balancers from F5 had a security flaw that gives attackers full control over the system. The vendor has released a fix.
---------------------------------------------
http://www.heise.de/security/meldung/Remote-Code-Execution-Luecke-in-F5-BigIP-2356557.html
