[CERT-daily] Daily summary - Thursday 3-03-2016

Daily end-of-shift report team at cert.at
Thu Mar 3 18:06:38 CET 2016


=======================
= End-of-Shift report =
=======================

Timeframe:   Wednesday 02-03-2016 18:00 − Thursday 03-03-2016 18:00
Handler:     Stephan Richter
Co-Handler:  Alexander Riepl



*** Cisco Unified Communications Domain Manager Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-cucdm




*** LibreSSL Unaffected By DROWN ***
---------------------------------------------
The OpenBSD people forked and heavily cleaned up OpenSSL to create LibreSSL due to dissatisfaction with the maintenance of OpenSSL, culminating in the Heartbleed bug. The emphasis has been on cleaning up the code and improving security, which includes removing things such as SSL2, which has fundamental security flaws. As a result, LibreSSL is not ..
---------------------------------------------
http://it.slashdot.org/story/16/03/02/1620221/libressl-unaffected-by-drown




*** Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2016 ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-openssl




*** Cisco Prime Infrastructure Log File Remote Code Execution Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-cpi1




*** Schneider Electric Building Operation Automation Server Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a vulnerability in servers programmed with Schneider Electric's StruxureWare Building Operation software.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01




*** Rockwell Automation Allen-Bradley CompactLogix Reflective Cross-Site Scripting Vulnerability ***
---------------------------------------------
This advisory is a follow-up to the alert titled ICS-ALERT-15-225-01A Rockwell Automation 1766-L32 Series Vulnerability that was published August 13, 2015, on the NCCIC/ICS-CERT web site. This advisory contains mitigation details for a cross-site scripting vulnerability in Rockwell Automation's CompactLogix application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-061-02




*** Windows Built-In PDF Reader Exposes Edge Browser To Hacking ***
---------------------------------------------
Edge, Microsoft's new browser, uses the WinRT PDF library to automatically embed and present PDF files while navigating the web. This is what Java does with applets, and Flash with SWF files -- it unintentionally allows a hacker to append malicious code to PDF files and trigger drive-by attacks, which exploit WinRT ..
---------------------------------------------
http://news.slashdot.org/story/16/03/02/2210256/windows-built-in-pdf-reader-exposes-edge-browser-to-hacking




*** Open-Xchange Guard Access Control Flaw Lets Remote Authenticated Users Obtain Private Keys in Certain Cases ***
---------------------------------------------
http://www.securitytracker.com/id/1035174




*** Google Analytics Counter - Moderately Critical - CSRF - SA-CONTRIB-2016-011 ***
---------------------------------------------
The Google Analytics Counter module provides total pageview counts for each page on a website. In that it is similar to the core Statistics module counter, but it is much lighter and ultimately faster because it draws on ..
---------------------------------------------
https://www.drupal.org/node/2679515




*** Register now for the International NCSC One Conference 2016 ***
---------------------------------------------
Protecting Bits & Atoms is the theme for our international One Conference 2016. It is especially timely given the increasingly connected physical and digital worlds and how information and communication technologies (ICT) have ingrained themselves into the very fabric of our society. The ONE conference will take place on Tuesday April 5 and Wednesday April 6 at the World Forum in The Hague, The Netherlands.
---------------------------------------------
https://www.ncsc.nl/english/current-topics/news/register-now-for-the-international-ncsc-one-conference-2016.html




*** How fraudsters can abuse Apple Pay ***
---------------------------------------------
Apple Pay is convenient and is considered secure. Yet criminals can abuse the system to create digital copies of credit cards.
---------------------------------------------
http://www.golem.de/news/security-wie-betrueger-apple-pay-missbrauchen-koennen-1603-119537.html




*** Java Deserialization Attacks with Burp ***
---------------------------------------------
This blog is about Java deserialization and the Java Serial Killer Burp extension. If you want to download the extension and skip past all of this, head to the Github page here. The recent Java deserialization attack that was discovered has provided a large window of opportunity for penetration testers to gain access to the underlying systems that Java applications communicate with.
---------------------------------------------
https://blog.netspi.com/java-deserialization-attacks-burp/




*** Valve informs Steam users about the Christmas data breach ***
---------------------------------------------
Almost three months after the massive data breach, Valve is now informing the affected users. In the meantime, they had probably long since forgotten about the problem.
---------------------------------------------
http://heise.de/-3127829



