[CERT-daily] Daily summary - Wednesday 29-06-2016

Daily end-of-shift report team at cert.at
Wed Jun 29 18:07:00 CEST 2016


=======================
= End-of-Shift report =
=======================

Timeframe:   Tuesday 28-06-2016 18:00 − Wednesday 29-06-2016 18:00
Handler:     Alexander Riepl
Co-Handler:  Robert Waldner

*** How Red Hat uses CVSSv3 to Assist in Rating Flaws ***
---------------------------------------------
Humans have been measuring risk since the dawn of time. "I'm hungry, do I go outside my awesome cave here and forage for food? There might be something bigger, scarier, and hungrier than me out there...maybe I should wait?" Successfully navigating through life is a series of Risk/Reward calculations made each and every day. Sometimes, ideally, the choices are small ("Do I want fries with that?") while others can lead to catastrophic outcomes if the scenario isn't fully
---------------------------------------------
https://access.redhat.com/blogs/766093/posts/CVSSv3




*** How to Compromise the Enterprise Endpoint ***
---------------------------------------------
Posted by Tavis Ormandy. Symantec is a popular vendor in the enterprise security market, their flagship product is Symantec Endpoint Protection. They sell various products using the same core engine in several markets, including a consumer version under the Norton brand. Today we're publishing details of multiple critical vulnerabilities that we discovered, including many wormable remote code execution flaws. These vulnerabilities are as bad as it gets.
---------------------------------------------
http://googleprojectzero.blogspot.com/2016/06/how-to-compromise-enterprise-endpoint.html




*** E-mail encryption for everyone: Volksverschlüsselung is ready ***
---------------------------------------------
Windows users can now use the free Volksverschlüsselung software to send encrypted e-mails via common clients.
---------------------------------------------
http://heise.de/-3250728




*** European consortium for cloud-based signatures and seals founded ***
---------------------------------------------
To coincide with the start of the eIDAS Regulation, European signature service providers have founded the Cloud Signature Consortium (CSC) on Adobe's initiative. It is to develop an open standard for cloud-based signatures and seals.
---------------------------------------------
http://heise.de/-3250807




*** Malware poses as WhatsApp and steals data ***
---------------------------------------------
The malware also imitates other Android apps such as Uber or the Google Play Store in order to capture credit card data.
---------------------------------------------
http://futurezone.at/digital-life/malware-gibt-sich-als-whatsapp-aus-und-stiehlt-daten/207.034.141




*** Home security systems hacked with 1234 password - Update ***
---------------------------------------------
Many smart home security systems come with standard passwords. Potential intruders can deactivate them online and use them to spy on homes - the affected systems are in use in many countries globally.
---------------------------------------------
http://www.heise.de/ct/artikel/Home-security-systems-hacked-with-1234-password-3248831.html




*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: WebSphere Application Server Liberty API Discovery feature has potential vulnerability (CVE-2016-2945) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21984502
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Power Hardware Management Console (CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021361
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in Java affect Power Hardware Management Console (CVE-2016-3426) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021385
---------------------------------------------
*** IBM Security Bulletin: Cross Site Scripting (XSS) security vulnerabilities in IBM WebSphere Commerce (CVE-2016-2862) ***
http://www.ibm.com/support/docview.wss?uid=swg21983625
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Tivoli Storage Productivity Center (CVE-2016-0363) ***
http://www.ibm.com/support/docview.wss?uid=swg21986168
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in Open Source BeanShell has been addressed by IBM Kenexa LCMS Premier (CVE-2016-2510) ***
http://www.ibm.com/support/docview.wss?uid=swg21985108
---------------------------------------------
*** IBM Security Bulletin: IBM Tealeaf Customer Experience installers vulnerable to attack (CVE-2016-2542) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21981024
---------------------------------------------
*** IBM Security Bulletin: Security Bulletin: Vulnerabilities in Ruby on Rails affect IBM License Metric Tool v9, IBM BigFix Inventory v9 and IBM Endpoint Manager for Software Use Analysis v9 & v2.2 ***
http://www-01.ibm.com/support/docview.wss?uid=swg21985099
---------------------------------------------
*** Security Bulletin: Vulnerabilities in OpenSSL affect Power Hardware Management Console (CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109) ***
http://www-01.ibm.com/support/docview.wss?uid=nas8N1021361
---------------------------------------------
*** Security Bulletin: Vulnerabilities in Java affect Power Hardware Management Console (CVE-2016-3426) ***
http://www-01.ibm.com/support/docview.wss?uid=nas8N1021385
---------------------------------------------




