[CERT-daily] Tageszusammenfassung - Donnerstag 18-09-2014

Thu Sep 18 18:08:22 CEST 2014

=======================
= End-of-Shift report =
=======================

Timeframe:   Mittwoch 17-09-2014 18:00 − Donnerstag 18-09-2014 18:00
Handler:     Robert Waldner
Co-Handler:  Alexander Riepl


*** How Cops Can Still Pull Data Off Your Locked iPhone, In Spite Of Apple ***
---------------------------------------------
A reminder to iPhone owners cheering Apple's latest privacy win: Just because Apple will no longer help police to turn your smartphone inside out doesn't mean it can prevent the cops from vivisecting the device on their own. On Wednesday evening Apple made news ..
---------------------------------------------
http://www.wired.com/2014/09/apple-iphone-security/


*** SA-CONTRIB-2014-091 - Survey Builder - Cross Site Scripting (XSS) ***
---------------------------------------------
When viewing surveys at "/surveys", the survey titles printed out are not sanitized. Any potentially dangerous code in the survey titles is also rendered. This vulnerability is mitigated by the fact that a user must have the "Create Survey" permission ..
---------------------------------------------
https://www.drupal.org/node/2340069


*** SA-CONTRIB-2014-088 - Mollom - Cross-site scripting (XSS) ***
---------------------------------------------
Mollom offers a feature to report submitted content as inappropriate which allows end users to indicate that a piece of site content is objectionable or out of place. When reporting content, the content title is not sufficiently sanitized to prevent cross-site scripting (XSS) attacks. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content and the content type must ..
---------------------------------------------
https://www.drupal.org/node/2340029


*** Bugtraq: APPLE-SA-2014-09-17-2 Apple TV 7 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/533468


*** D-BUS Buffer Overflow and Multiple Processing Flaws Let Local Users Obtain Elevated Privileges and Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1030864


*** Apple OS X Multiple Flaws Let Remote Users Execute Arbitrary Code and Local Users Gain Elevated Privileges and Obtain Potentially Sensitive Information ***
---------------------------------------------
http://www.securitytracker.com/id/1030868


*** Open Web App Security Project releases new app dev opus ***
---------------------------------------------
The global security community has completed an 18-month effort to produce a guide it is hoped will boost the standard of web application testing and address new and dangerous technologies. Version 4 of the Open Web App Security Projects (OWASPs) Testing Guide was produced by more than 60 security bods from around the world with a core lead team of four.
---------------------------------------------
http://www.theregister.co.uk/2014/09/18/guide_to_obliterating_web_apps_published/


*** Yokogawa CENTUM and Exaopc Vulnerability ***
---------------------------------------------
Tod Beardsley of Rapid7 Inc., and Jim Denaro of CipherLaw, have identified an authentication vulnerability and released proof-of-concept (exploit) code for the Yokogawa CENTUM CS 3000 series and Exaopc products. JPCERT and Yokogawa have mitigated this vulnerability.
---------------------------------------------
https://ics-cert.us-cert.gov//advisories/ICSA-14-260-01