[CERT-daily] Daily summary - Tuesday 16-09-2014

Daily end-of-shift report team at cert.at
Tue Sep 16 18:07:14 CEST 2014


=======================
= End-of-Shift report =
=======================

Timeframe:   Monday 15-09-2014 18:00 − Tuesday 16-09-2014 18:00
Handler:     Robert Waldner
Co-Handler:  Alexander Riepl




*** Security updates available for Adobe Reader and Acrobat (APSB14-20) ***
---------------------------------------------
http://blogs.adobe.com/psirt/?p=1130




*** THREE QUARTERS of droid phones open to web page spy bug ***
---------------------------------------------
Metasploit module gobbles KitKat SOP slop. A Metasploit module has been developed to easily exploit a dangerous flaw in 75 percent of Android devices that allows attackers to hijack a user's open websites.
---------------------------------------------
http://www.theregister.co.uk/2014/09/16/three_quarters_of_droid_phones_open_to_web_page_spy_bug/




*** Attackers tapping on SNMP door to see if it's open ***
---------------------------------------------
SANS spots new, dumb attack. Google's DNS IP address is being spoofed by an attacker, apparently in an attempt to DDoS hosts vulnerable to a flaw in the SNMP protocol.
---------------------------------------------
http://www.theregister.co.uk/2014/09/16/attackers_tapping_on_snmp_door_to_see_if_its_open/




*** Kindle endangered by hidden codes in e-books ***
---------------------------------------------
A security vulnerability in the Kindle e-reader lets attackers obtain the data of Amazon customers. The vulnerability has appeared for the second time.
---------------------------------------------
http://futurezone.at/digital-life/kindle-durch-versteckte-codes-in-e-books-gefaehrdet/86.019.903




*** Encrypt-then-MAC standardised for TLS ***
---------------------------------------------
A new TLS extension makes it possible to change the order of authentication and encryption. The previous method led to security problems such as the Lucky Thirteen attack. ... Workarounds against the Lucky Thirteen attack were built into the common browsers and TLS libraries, but there was nevertheless a desire to fix the problem in general.
---------------------------------------------
http://www.golem.de/news/verschluesselung-encrypt-then-mac-fuer-tls-standardisiert-1409-109273.html




*** Unpatched data leak in Android's open-source browser ***
---------------------------------------------
A vulnerability in Android's AOSP browser allows websites to read the data of other sites. The app ships with almost all Android versions before KitKat and also serves as the default browser for many custom ROMs.
---------------------------------------------
http://www.heise.de/security/meldung/Ungestopftes-Datenleck-in-Androids-Open-Source-Browser-2391930.html




*** AppLock Vulnerability Leaves Configuration Files Open for Exploit ***
---------------------------------------------
We have previously discussed certain file locker apps that fail to hide files properly. We recently came across yet another file locker app, AppLock, which has the same issue. However, the vulnerability concerning this app goes beyond improperly hiding files - the vulnerability can ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/applock-vulnerability-leaves-configuration-files-open-for-exploit/




*** Twitter Vulnerability Allows Hacker to Delete Credit Cards from Any Twitter Account ***
---------------------------------------------
At the beginning of this month, just like other social networks, Twitter also started paying individuals for any flaws they uncover on its service with a fee of $140 or more offered per flaw under its new Bug Bounty program, and here comes the ..
---------------------------------------------
http://thehackernews.com/2014/09/twitter-vulnerability-allows-hacker-to_16.html




*** Metasploit gems from scratch ***
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/09/16/metasploit-gems-from-scratch




